Opened 6 years ago

Closed 6 years ago

#15225 closed task (fixed)

Investigate why Atlas does not work with the medium-high security slider setting

Reported by: gk
Owned by: tbb-team
Priority: Medium
Milestone:
Component: Applications/Tor Browser
Version:
Severity:
Keywords:
Cc: phw, ma1
Actual Points:
Parent ID: #9387
Points:
Reviewer:
Sponsor:


Looking for some relays on atlas gives me

JavaScript Error!

There is a problem with your javascript environment, you may have noscript enabled on the remote onionoo backend.

using the medium-high setting of the security slider which allows only HTTPS sourced JavaScript. I wonder whether that is a subtle bug in NoScript or where it is actually going wrong. I can't believe there are HTTP JavaScript requests involved here. Looking at the browser console I only can see HTTPS ones.

In order to get it to work I have to allow NoScript globally which is not an ideal solution.

Change History (7)

comment:1 Changed 6 years ago by phw

It looks like Atlas' index page includes HTTP-sourced JS when loaded by IE:

    <!-- Le HTML5 shim, for IE6-8 support of HTML elements -->
    <!--[if lt IE 9]>
      <script src=""></script>
    <![endif]-->

The URL seems to support HTTPS just fine, so we can change that easily. Alternatively, IE 9 seems to be old, so I also wouldn't mind if we just dump that snippet.

comment:2 Changed 6 years ago by phw

I committed a fix and uploaded a new, temporary, version of atlas here:

Does this still trigger the error message?

comment:3 Changed 6 years ago by gk

Cc: ma1 added
Status: new → needs_information

Yeah, I saw that (re comment 1) and yes, it is still an issue. But the IE snippet does not get loaded in Tor Browser at all as far as I can see. The issue is a NoScript one. Here is what happens:

Looking at NoScript's isJSEnabled() all scripts for get loaded. But then gets called to check for the DFRIpi relays. We have a window for it and enabled gets set to true due to the globalHTTPSWhitelist option. topSite is still Thus, we need to do another check

            enabled = this.isJSEnabled(topSite);

and this returns false as there is no window for we pass anymore. Thus, scripts loaded from are blocked despite the site that is responsible for the call and the script itself is HTTPS-enabled.

Giorgio, does anything speak against passing the window to isJSEnabled()? (Might be needed in the iframe case, too? I have not checked that yet)

comment:4 Changed 6 years ago by ma1

seems to work fine for me with NoScript and above, default options + globalHTTPSWhitelist.
Am I missing something?

comment:5 in reply to:  4 Changed 6 years ago by gk

Replying to ma1:

> seems to work fine for me with NoScript and above, default options + globalHTTPSWhitelist.
> Am I missing something?

noscript.restrictSubdocScripting must be set to true as well to hit the problem.

comment:6 Changed 6 years ago by ma1

Please check from thanks.

comment:7 Changed 6 years ago by gk

Resolution: fixed
Status: needs_information → closed

That fixes the issue, thanks.
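
The behaviour discussed in comments 3 to 5, as an added example that is not part of the ticket and is not NoScript's code: a simplified JavaScript model in which the HTTPS-wide rule can only be applied when a window is passed, so the repeated top-site check made without one falls through to default deny. The policy object, the window shape, the `passWindow` switch and the `app.example` / `api.example` hosts are assumptions made for illustration.

```javascript
// Simplified model of the decision described in comments 3 and 5.
// Not NoScript's source: policy object, window shape and hosts are constructed.
const TOP = "https://app.example";   // stands in for the page the user opened
const API = "https://api.example";   // stands in for the backend it queries

// win is { secureTop: boolean }, or undefined when the caller passes no window.
function isJSEnabled(policy, site, win) {
  if (policy.allowed.includes(site)) return true;   // explicit per-site permission
  // The HTTPS-wide rule needs a window to inspect; without one it cannot apply.
  if (policy.globalHTTPSWhitelist && site.startsWith("https:") && win) {
    return win.secureTop;
  }
  return false;                                     // default deny
}

function scriptAllowed(policy, site, topSite, win, passWindow) {
  let enabled = isJSEnabled(policy, site, win);
  if (enabled && policy.restrictSubdocScripting && site !== topSite) {
    // Second check on the top-level site. Comment 3 asks whether the window
    // can be passed here; passWindow=false models the reported behaviour.
    enabled = passWindow ? isJSEnabled(policy, topSite, win)
                         : isJSEnabled(policy, topSite);
  }
  return enabled;
}

const win = { secureTop: true };
const strict = { globalHTTPSWhitelist: true, restrictSubdocScripting: true, allowed: [] };
const relaxed = { ...strict, restrictSubdocScripting: false };

function demo() {
  return {
    reported: scriptAllowed(strict, API, TOP, win, false),       // false: blocked
    withWindow: scriptAllowed(strict, API, TOP, win, true),      // true
    noSubdocRule: scriptAllowed(relaxed, API, TOP, win, false),  // true (comment 4)
    topSiteItself: scriptAllowed(strict, TOP, TOP, win, false),  // true
    httpBackend: scriptAllowed(strict, "http://api.example", TOP, win, true), // false
  };
}

console.log(demo());
```

The `noSubdocRule` case shows why the problem only reproduces with `restrictSubdocScripting` enabled, and `httpBackend` shows that passing the window does not loosen the HTTPS-only rule.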
